pki work, and keystone cert generated
ignore retry files
load variables for localhost as well
split root/intermediate generation
use array for creating server certs
configure openstack with certs from server via lookup('file',...
move root CA cert to old location, testing
indent ssl info
more places where the CA cert is used
don't have juju self-manage certs
juju requires certs be base64 encoded (not documented)
install both root/intermediate CA certs, as juju/trusty apache is too old to support chaining
provide ca/im chain to juju keystone config
yaml error
updated name for onos source per jono
fixed the onos-fabric-install role
whitespace
copy CA certs to compute node
stop wasting time
diagnostically print contents of /usr/local/share/ca-certificates/ dir

Change-Id: Idbd4891736b07690a260bf3d117c547de1ae7424
diff --git a/roles/pki-intermediate-ca/defaults/main.yml b/roles/pki-intermediate-ca/defaults/main.yml
new file mode 100644
index 0000000..24801d3
--- /dev/null
+++ b/roles/pki-intermediate-ca/defaults/main.yml
@@ -0,0 +1,16 @@
+---
+# pki-intermediate-ca/defaults/main.yml
+
+pki_dir: "{{ playbook_dir }}/pki"
+
+# crypto parameters
+ca_digest: "sha256"
+ca_size: 4096
+ca_im_days: 730
+
+# passphrases for the certificate
+ca_im_phrase: "{{ lookup('password', 'credentials/ca_im_phrase length=64') }}"
+
+# noninteractive csr subject
+ca_im_subj: "/C=US/ST=California/L=Menlo Park/O=ON.Lab/OU=Test Deployment/CN=CORD Test Deployment Intermediate CA"
+
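Review bot: The `ca_im_phrase` default on the `lookup('password', 'credentials/ca_im_phrase length=64')` line generates the intermediate key's passphrase into a cleartext file (resolved relative to the playbook directory), and nothing here says that this file is the only source of the secret that protects the CA key. A reader who cleans up `credentials/` loses the ability to use the key, and one who commits the playbook tree leaks the passphrase. I would add above that line: `# The 'password' lookup persists this passphrase in cleartext at credentials/ca_im_phrase; keep that path out of version control and include it in the CA backup.`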
diff --git a/roles/pki-intermediate-ca/tasks/main.yml b/roles/pki-intermediate-ca/tasks/main.yml
new file mode 100644
index 0000000..8485dc2
--- /dev/null
+++ b/roles/pki-intermediate-ca/tasks/main.yml
@@ -0,0 +1,117 @@
+---
+# pki-ca/tasks/main.yml
+
+- name: Create intermediate CA directory
+  file:
+    dest: "{{ pki_dir }}/intermediate_ca"
+    state: directory
+
+- name: Create intermediate CA openssl.cnf from template
+  template:
+    src: openssl_im.cnf.j2
+    dest: "{{ pki_dir }}/intermediate_ca/openssl.cnf"
+    force: no
+
+- name: Create subdirs for intermediate CA
+  file:
+    dest: "{{ pki_dir }}/intermediate_ca/{{ item }}"
+    state: directory
+  with_items:
+    - certs
+    - crl
+    - csr
+    - newcerts
+
+- name: Create private CA directory
+  file:
+    dest: "{{ pki_dir }}/intermediate_ca/private"
+    state: directory
+    mode: 0700
+
+- name: Create serial file
+  copy:
+    dest: "{{ pki_dir }}/intermediate_ca/serial"
+    content: "01"
+    force: no
+
+- name: Create empty index file if it doesn't exist
+  copy:
+    dest: "{{ pki_dir }}/intermediate_ca/index.txt"
+    content: ""
+    force: no
+
+- name: Save intermediate passphrase to intermediate_ca/private/ca_im_phrase
+  copy:
+    dest: "{{ pki_dir }}/intermediate_ca/private/ca_im_phrase"
+    content: "{{ ca_im_phrase }}"
+    mode: 0400
+
+- name: Generate intermediate key
+  command: >
+    openssl genrsa -aes256
+      -out {{ pki_dir }}/intermediate_ca/private/im_key.pem
+      -passout file:{{ pki_dir }}/intermediate_ca/private/ca_im_phrase
+      {{ ca_size }}
+  args:
+    creates: "{{ pki_dir }}/intermediate_ca/private/im_key.pem"
+
+- name: Set permissions on intermediate key
+  file:
+    dest: "{{ pki_dir }}/intermediate_ca/private/im_key.pem"
+    mode: 0400
+
+- name: Create intermediate CSR
+  command: >
+    openssl req -config {{ pki_dir }}/intermediate_ca/openssl.cnf
+      -key {{ pki_dir }}/intermediate_ca/private/im_key.pem
+      -passin file:{{ pki_dir }}/intermediate_ca/private/ca_im_phrase
+      -new -sha256 -subj "{{ ca_im_subj }}"
+      -out {{ pki_dir }}/intermediate_ca/csr/intermediate_ca_csr.pem
+  args:
+    creates: "{{ pki_dir }}/intermediate_ca/certs/intermediate_ca_csr.pem"
+  environment:
+    KEY_ALTNAMES: ""
+
+- name: Create intermediate cert from CSR with root CA
+  command: >
+    openssl ca -config {{ pki_dir }}/root_ca/openssl.cnf -batch
+      -extensions v3_intermediate_ca
+      -passin file:{{ pki_dir }}/root_ca/private/ca_root_phrase
+      -days {{ ca_im_days }} -md {{ ca_digest }}
+      -in {{ pki_dir }}/intermediate_ca/csr/intermediate_ca_csr.pem
+      -out {{ pki_dir }}/intermediate_ca/certs/im_cert.pem
+  args:
+    creates: "{{ pki_dir }}/intermediate_ca/certs/im_cert.pem"
+
+- name: Verify intemediate cert
+  command: >
+    openssl verify
+      -CAfile {{ pki_dir }}/root_ca/certs/ca_cert.pem
+      {{ pki_dir }}/intermediate_ca/certs/im_cert.pem
+  register: im_verify
+  tags:
+     - skip_ansible_lint # diagnostic command
+
+- name: Assert that verify of intermediate cert succeeded
+  assert:
+    that: "'OK' in '{{ im_verify.stdout }}'"
+
+- name: Get the root cert into ca_cert var
+  command: >
+    openssl x509 -in {{ pki_dir }}/root_ca/certs/ca_cert.pem
+  register: ca_cert
+  tags:
+     - skip_ansible_lint # concat of files
+
+- name: Get the intermediate cert into im_cert var
+  command: >
+    openssl x509 -in {{ pki_dir }}/intermediate_ca/certs/im_cert.pem
+  register: im_cert
+  tags:
+     - skip_ansible_lint # concat of files
+
+- name: Create intermediate cert chain
+  copy:
+    dest: "{{ pki_dir }}/intermediate_ca/certs/im_cert_chain.pem"
+    content: "{{ im_cert.stdout }}\n{{ ca_cert.stdout }}"
+
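Review bot: The `creates:` guard on the "Create intermediate CSR" task points at `intermediate_ca/certs/intermediate_ca_csr.pem`, but the `-out` in the command above writes the CSR to `intermediate_ca/csr/intermediate_ca_csr.pem`, so the guard never matches and the CSR is regenerated (and the task reports changed) on every run; it should read `creates: "{{ pki_dir }}/intermediate_ca/csr/intermediate_ca_csr.pem"`. The "Save intermediate passphrase" task writes the secret through `content:`, which Ansible echoes in `--diff` and verbose output, so that task wants `no_log: true`. The assert `"'OK' in '{{ im_verify.stdout }}'"` templates command output into a Jinja expression and breaks if stdout ever contains a quote; `that: "'OK' in im_verify.stdout"` is the safer form. The header comment on the first line still reads `pki-ca/tasks/main.yml` rather than `pki-intermediate-ca/tasks/main.yml`.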
diff --git a/roles/pki-intermediate-ca/templates/openssl_im.cnf.j2 b/roles/pki-intermediate-ca/templates/openssl_im.cnf.j2
new file mode 100644
index 0000000..6647d83
--- /dev/null
+++ b/roles/pki-intermediate-ca/templates/openssl_im.cnf.j2
@@ -0,0 +1,107 @@
+# Created by openssl_im.cnf.j2, configured by ansible
+
+[ ca ]
+default_ca  = CA_default
+
+[ CA_default ]
+dir               = {{ pki_dir }}/intermediate_ca
+certs             = $dir/certs
+crl_dir           = $dir/crl
+new_certs_dir     = $dir/newcerts
+database          = $dir/index.txt
+serial            = $dir/serial
+RANDFILE          = $dir/private/.randfile
+
+private_key       = $dir/private/im_key.pem
+certificate       = $dir/certs/im_cert.pem
+
+crlnumber         = $dir/crl/crlnumber
+crl               = $dir/crl/im_crl.pem
+crl_extensions    = crl_ext
+default_crl_days  = 30
+
+# Make new requests easier to sign - allow two subjects with same name
+# (Or revoke the old certificate first.)
+unique_subject    = no
+
+default_md        = {{ ca_digest }}
+
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = {{ ca_im_days }}
+preserve          = no
+
+# for CA that signs client certs
+policy            = policy_loose
+
+[ policy_loose ]
+# Allow the intermediate CA to sign more types of certs
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+default_bits         = {{ ca_size }}
+default_md           = {{ ca_digest }}
+distinguished_name   = req_distinguished_name
+string_mask          = utf8only
+x509_extensions      = v3_intermediate_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name
+localityName                    = Locality Name
+0.organizationName              = Organization Name
+organizationalUnitName          = Organizational Unit Name
+commonName                      = Common Name
+emailAddress                    = Email Address
+
+# Some defaults
+countryName_default             = US
+stateOrProvinceName_default     = California
+localityName_default            = Menlo Park
+0.organizationName_default      = ON.Lab
+organizationalUnitName_default  = Test Deployment
+emailAddress_default            = privateca@opencord.org
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:TRUE, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+basicConstraints = CA:FALSE
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = ${ENV::KEY_ALTNAMES}
+
+[ user_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+basicConstraints = CA:FALSE
+keyUsage = critical, digitalSignature, keyEncipherment, nonRepudiation
+extendedKeyUsage = clientAuth, emailProtection
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
+